© 2006 Cisco Systems, Inc. All rights reserved. CIPT2 v

Secure IP Telephony
Hardening the IP Phone
Threats Targeting Endpoints
Threats Targeting Endpoints
- Physical and web access to network configuration settings
- Corrupting the image and the configuration file
- Connected PC sniffing the voice VLAN
- Attacking from the network, listening to the communication
Endpoint Infiltration and Attack
- Endpoints can be attacked by modifying the image and configuration file.
- Endpoints can be wire-tapped:
  – Behind the switch of the IP phone
  – Man-in-the-middle attack with GARP
- Information about the network infrastructure can be uncovered:
  – DHCP, DNS, default router, Cisco Unified CallManager, TFTP
  – These could be the next targets of the attacks
Possible Attack Paths
(Figure: an attacker attached to the network switch, with the IP phone, the gateway, and Cisco Unified CallManager running TFTP, SQL, and web server services)
1. Listen to the conversation.
2. Modify the IP phone image or configuration, or start a man-in-the-middle attack.
3. Attack the operating system and Cisco Unified CallManager services.
4. Attack network devices and services.
Stopping Rogue Images from Entering Phones
Phone Image Authentication
- Phone image authentication was introduced with Cisco CallManager Release 3.3(3):
  – Image signed by Cisco manufacturing
  – The current image verifies the signature and the phone model information of the new image before accepting it
- Phone configuration file authentication was introduced with Cisco Unified CallManager Release 4.0:
  – Configuration file signed by Cisco Unified CallManager
  – Signature verified before the new configuration is applied
- Phone configuration file encryption was introduced with Cisco Unified CallManager Release 5.0:
  – Configuration file encrypted by Cisco Unified CallManager
  – The phone decrypts the received configuration file
IP Phones Validate Signed Firmware Image
- The IP phone rejects an image because of:
  – A modified image from an attacker
  – An image for an incorrect IP phone model
(Figure: Cisco Unified CallManager and the TFTP server deliver a signed 7961 image; the Cisco Unified IP Phone 7961 accepts it (OK), a 7961 rejects the attacker's modified image, and a Cisco Unified IP Phone 7912 rejects the 7961 image)
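The check the two slides above describe has two parts: the running image verifies the signature over the whole downloaded image, and only then compares the model field with its own model. The following Python is an added illustration of that order of checks; it is not Cisco's firmware code or Cisco's image format. The container layout (magic, model name, payload length, payload, signature), the field names, and the key are assumptions for this example, and HMAC-SHA256 with a constructed key stands in for the manufacturing signature that a real phone verifies with a public key.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Assumed container layout for this example (not Cisco's format):
# header | payload | signature over header+payload
MAGIC = b"CIPT"
HEADER_FMT = ">4s16sI"                      # magic, model name (NUL padded), payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 24 bytes
SIG_LEN = 32                                # SHA-256 digest length

# Constructed stand-in for the manufacturing signing key. A real phone holds only
# a public key; HMAC is used here so the example runs with the standard library.
MANUFACTURING_KEY = b"constructed-example-key-not-a-real-secret"


def build_image(model: str, payload: bytes, key: bytes = MANUFACTURING_KEY) -> bytes:
    """Produce a signed image the way the (hypothetical) signing station would."""
    header = struct.pack(HEADER_FMT, MAGIC, model.encode(), len(payload))
    body = header + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image: bytes, phone_model: str, key: bytes = MANUFACTURING_KEY) -> Tuple[bool, str]:
    """Model the running image's acceptance check. Returns (accepted, reason)."""
    if len(image) < HEADER_LEN + SIG_LEN:
        return False, "truncated image"
    magic, model_raw, payload_len = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC:
        return False, "bad magic"
    body_end = HEADER_LEN + payload_len
    if len(image) != body_end + SIG_LEN:
        return False, "length mismatch"
    body, sig = image[:body_end], image[body_end:]
    # Signature first: nothing in the header is trusted until the signature verifies.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature check failed"
    # Model second: a genuine image for another phone type is still rejected.
    model = model_raw.rstrip(b"\0").decode()
    if model != phone_model:
        return False, f"image is for model {model}, phone is model {phone_model}"
    return True, "accepted"


def demo() -> dict:
    """Run the four cases from the slide against a 7961."""
    genuine = build_image("7961", b"firmware-payload-8.0")
    tampered = bytearray(genuine)
    tampered[HEADER_LEN + 3] ^= 0x01                    # flip one payload bit
    for_7912 = build_image("7912", b"firmware-payload-8.0")
    foreign_key = build_image("7961", b"x", key=b"constructed-other-key")
    return {
        "genuine_7961": verify_image(genuine, "7961"),
        "tampered_7961": verify_image(bytes(tampered), "7961"),
        "image_for_7912": verify_image(for_7912, "7961"),
        "foreign_key": verify_image(foreign_key, "7961"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The order matters: reading the model field before the signature check would let a forged header steer the decision. Checking the signature first means every later field is already authenticated when it is used.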
Phone Security Settings Overview
Phone Security Options in Cisco Unified CallManager
Protect the IP phone by disabling these phone settings:
- Speakerphone
- PC port
- Settings access
- GARP
- PC voice VLAN access
- Web access
Disabling PC Port, Settings Button, and Web Access to the Phone
Hardening the IP Phone with Product-Specific Parameters
- Disable the PC port:
  – For example, for lobby phones
  – Attackers do not get access to the network
- Disable settings access:
  – The Disabled option deactivates the Settings button completely.
  – The Restricted option grants access to the contrast and ringer menus only.
IP Phone Web Service
- Displays information similar to the Settings button on the IP phone
- Discloses information about the network infrastructure
- Disable web access for a phone to stop the web service
Ignoring Gratuitous ARP
GARP
- Usually ARP operates in a request-response fashion.
- Learned MAC addresses are added to a local ARP cache.
- GARP packets are ARP packets that have not been requested:
  – Sent by a station that announces its own MAC address
  – Allow update of ARP caches in receiving devices
  – Usually sent after MAC address changes
  – Can be misused for packet redirection in a man-in-the-middle attack
GARP Attack
- Stop GARP attacks by disabling GARP at the IP phones.
(Figure: the attacker's PC sends a GARP ("I am ...") to the IP phone)
1. Tell the IP phone that I am the default router.
2. Listen to the communication and relay the traffic from the IP phone to the default gateway.
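Disabling GARP on the phone is the endpoint-side control; on the network side, the same pattern from the two slides above (an unrequested ARP announcing the default router's IP from a MAC that is not the router's) can be detected by watching ARP on the voice VLAN. The following Python is an added example, not part of this course material or of any Cisco product: it parses Ethernet/ARP frames, recognises gratuitous ARP by the sender IP equalling the target IP, and raises an alert when such an announcement claims a known gateway address with an unexpected MAC. The gateway address, MAC addresses, and sample frames are all constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpInfo:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
        return self.sender_ip == self.target_ip


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_arp(frame: bytes) -> Optional[ArpInfo]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpInfo(op, _mac(sha), str(ipaddress.IPv4Address(spa)),
                   _mac(tha), str(ipaddress.IPv4Address(tpa)))


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str,
                    dst_mac: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed sample frame (not captured traffic) used only to feed the detector."""
    eth = ETH_HDR.pack(_mac_bytes(dst_mac), _mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       _mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       _mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def detect_gateway_impersonation(frames: List[bytes], known_gateways: Dict[str, str]) -> List[str]:
    """Alert on gratuitous ARP that claims a gateway IP with a MAC other than the known one."""
    alerts = []
    for frame in frames:
        info = parse_arp(frame)
        if info is None or not info.gratuitous:
            continue
        expected = known_gateways.get(info.sender_ip)
        if expected is not None and expected.lower() != info.sender_mac:
            alerts.append(f"GARP for gateway {info.sender_ip} from {info.sender_mac}, expected {expected}")
    return alerts


# Constructed inventory: the voice VLAN default router and its real MAC.
GATEWAYS = {"10.1.22.1": "00:11:22:33:44:01"}

SAMPLE_FRAMES = [  # constructed, not captured
    # Genuine GARP from the gateway (same MAC as the inventory): no alert.
    build_arp_frame(ARP_REPLY, "00:11:22:33:44:01", "10.1.22.1", "00:11:22:33:44:01", "10.1.22.1"),
    # Ordinary request from a phone resolving the gateway: not gratuitous, ignored.
    build_arp_frame(ARP_REQUEST, "00:1b:2b:aa:bb:cc", "10.1.22.50", "00:00:00:00:00:00", "10.1.22.1"),
    # GARP claiming the gateway address from an unknown MAC: the pattern from the slide.
    build_arp_frame(ARP_REPLY, "00:de:ad:be:ef:01", "10.1.22.1", "00:de:ad:be:ef:01", "10.1.22.1"),
]


def demo() -> List[str]:
    return detect_gateway_impersonation(SAMPLE_FRAMES, GATEWAYS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A real deployment would feed the detector from a SPAN session or a monitoring port on the voice VLAN and keep the gateway inventory in sync with the DHCP default-router option the phones receive, so that a legitimate gateway MAC change does not show up as an alert.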
Block PC Access to the Voice VLAN
Voice VLAN Access at the PC
- By default, the IP phone sends all traffic to the PC:
  – Including the voice VLAN traffic
  – Allows sniffing of phone conversations at the PC
- The PC can also send data to the voice VLAN.
(Figure: Data VLAN 1 and Voice VLAN 22 on the phone's switch port; the PC also receives voice VLAN traffic)
Disable PC Voice VLAN Access
- The IP phone will not forward voice VLAN-tagged traffic to the PC when received from the switch.
- The IP phone will not forward voice VLAN-tagged traffic to the switch when received from the PC.
- Sniffing voice VLAN traffic at the PC is impossible. For troubleshooting, sniff at the network devices instead.
- Behavior differs depending on the phone model:
  – Cisco Unified IP Phone 7940 and 7960 block access to the voice VLAN only, but allow the PC to send and receive frames tagged with VLAN IDs other than the voice VLAN.
  – Enhanced phones (Cisco Unified IP Phones 7971, 7970, 7961, 7941, 7911) have an additional setting, Span to PC Port. If it is disabled, the PC can send and receive only untagged frames. If it is enabled, the PC can send and receive only untagged frames and frames tagged with the voice VLAN ID (if voice VLAN access is enabled).
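The two slides above state the PC-port forwarding rules as prose; the model-dependent part is easy to misread. The following Python is an added example (not Cisco firmware and not part of the course) that reads the 802.1Q tag of a frame and applies exactly the rules stated above: untagged frames always pass, the 7940/7960 filter only the voice VLAN tag, and the enhanced phones pass the voice VLAN tag only when both PC Voice VLAN Access and Span to PC Port are enabled and never pass other tags. The voice VLAN ID 22 comes from the figure; the frame contents, MAC addresses, and the parameter names of the model are constructed for this example.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
LEGACY_MODELS = {"7940", "7960"}
ENHANCED_MODELS = {"7911", "7941", "7961", "7970", "7971"}   # from the slide


def vlan_of(frame: bytes) -> Optional[int]:
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    ethertype, tci = struct.unpack_from("!HH", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return None
    return tci & 0x0FFF            # VLAN ID is the low 12 bits of the tag control information


def make_frame(vlan_id: Optional[int], payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed Ethernet frame (not captured), tagged when vlan_id is given."""
    dst, src = b"\x00\x1b\x2b\x00\x00\x01", b"\x00\x1b\x2b\x00\x00\x02"
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4) + payload


def pc_port_forwards(model: str, vlan_id: Optional[int], voice_vlan: int,
                     pc_voice_vlan_access: bool = True, span_to_pc_port: bool = False) -> bool:
    """Whether the phone passes a frame between PC port and switch port under the slide's rules.

    The rules are symmetric (switch-to-PC and PC-to-switch), so direction is not a parameter.
    """
    if vlan_id is None:
        return True                          # untagged (data VLAN) traffic always passes
    if model in LEGACY_MODELS:
        if vlan_id == voice_vlan:
            return pc_voice_vlan_access      # 7940/7960 filter only the voice VLAN tag
        return True                          # other tags pass on these models
    if model in ENHANCED_MODELS:
        if vlan_id == voice_vlan:
            return span_to_pc_port and pc_voice_vlan_access
        return False                         # enhanced phones never pass other tags
    raise ValueError(f"unknown model {model}")


def filter_to_pc(model: str, frames: List[bytes], voice_vlan: int, **settings) -> Dict[str, int]:
    """Count how many of the frames would reach the PC port versus be dropped."""
    counts = {"forwarded": 0, "dropped": 0}
    for frame in frames:
        allowed = pc_port_forwards(model, vlan_of(frame), voice_vlan, **settings)
        counts["forwarded" if allowed else "dropped"] += 1
    return counts


# Constructed mix: one untagged data frame, two voice VLAN 22 frames, one frame tagged VLAN 30.
SAMPLE_FRAMES = [make_frame(None), make_frame(22), make_frame(22), make_frame(30)]


def demo() -> Dict[str, Dict[str, int]]:
    return {
        "7960 voice VLAN access enabled": filter_to_pc("7960", SAMPLE_FRAMES, 22),
        "7960 voice VLAN access disabled": filter_to_pc("7960", SAMPLE_FRAMES, 22, pc_voice_vlan_access=False),
        "7961 span disabled": filter_to_pc("7961", SAMPLE_FRAMES, 22, span_to_pc_port=False),
        "7961 span enabled": filter_to_pc("7961", SAMPLE_FRAMES, 22, span_to_pc_port=True),
    }


if __name__ == "__main__":
    for scenario, counts in demo().items():
        print(f"{scenario:32s} {counts}")
```

The VLAN 30 frame is the case worth noticing: a 7960 with PC Voice VLAN Access disabled still hands it to the PC, while a 7961 drops it regardless of settings, which is the difference the slide's last bullet is describing.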
Authentication and Encryption on Cisco Unified CallManager Administration and IP Phones
Authentication and Encryption in Cisco Unified CallManager Environments
Authentication and encryption options are available for:
- Signaling between IP phones (SIP and SCCP) and Cisco Unified CallManager or SRST, using TLS
- Cisco Unified CallManager SIP digest authentication for SIP trunks and third-party SIP phones
- Cisco Unified CallManager intracluster communication, trunk, and gateway signaling, using IPsec
- Media exchange between gateways or phones, using SRTP
(Figure: a Cisco Unified CallManager site connected over the WAN to an SRST site with PSTN access)
Summary
- Attackers will try several attack paths, including attacks against the IP phones.
- IP phones can validate images and configuration updates.
- Every IP phone has specific product configuration menus.
- Disable settings access and web access to prevent hackers from viewing the network configuration.
- Disable GARP to prevent man-in-the-middle attacks.
- Block the PC port if no PC is attached to it, and generally block access to the voice VLAN to avoid unauthorized network access.
- TLS secures signaling, and SRTP secures the audio stream.